Since the start of 2010, more than 250 companies around the world have migrated workloads (including Oracle workloads) to System z. Why? Maybe it’s the savings (up to 50% on applicable IT costs). Or the top-rated EAL5 security classification. Or because it delivers up to 99.999% availability and uptime. Or maybe it’s an even better reason: all of the above.

IT COST SAVINGS reflect overall reductions in software and/or hardware maintenance charges and reduced costs of system and workload management over a period of 3-5 years, when consolidating workloads from other systems to a virtualised Linux environment on System z. AVAILABILITY percentage is based on System z servers in a Parallel Sysplex environment, assuming replicated data sharing across multiple servers. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Contact IBM to see what we can do for you. Current as of 7/7/2011. IBM, the IBM logo, ibm.com, System z, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2011.
FROM THE EDITOR

Tactics or Strategy? Yes!

Don’t you have any outside interests that teach you lessons applicable to security? Of course you do. Mine is chess. So it’s time for my quasi-annual chess column. In my May Editor’s Letter, I sideswiped the topic of strategy and tactics. The difference, and balance, between strategy and tactics is very important in chess, which, like security, is a competitive endeavor. You’re fighting an adversary who tries to outthink you.

Here’s one definition of the difference between strategy and tactics:

Strategy is deciding what you need to do; tactics are the specific steps you take to do it.

I agree that they are two distinct things, but they are also inextricably intertwined.

It’s very hard to create a meaningful strategy if you have no tactical ability. In chess, many decent strategic players (especially older ones like myself) lose to strategically inferior tactical wizards (often young kids). “Clearly I would have won if I could have gotten my knight to that particular square,” says the old guy in the post-game discussion. And the kid replies, “Um, yeah, but you couldn’t.” The specific tactics of the position prevented the execution of the strategy. So it was a bad strategy.

On the other hand, when a young tactician plays a Grandmaster, the kid’s tactical prowess frequently never has any impact on the game at all. The kid spends all his time allotment calculating very specific tactical sequences: “I go here, he can go there, then I can take his knight,” and so on. But the Grandmaster replies, “That may be, but your position was already lost after you traded your bishop six moves ago.” The Grandmaster’s strategic approach is so much stronger that he knows his position will win without having to calculate his moves, except at a few critical points.

So in your hands you hold an issue of CSO brimming with all kinds of ideas, almost all stolen (as is our custom) from CSOs, CISOs and other security leaders. Some of the ideas are tactics, and some are strategies. Some cover the minute details of your job; some suggest that you take a step back and adjust your big-picture goals.

The end of the year is traditionally a great time to pause and reflect. The strategic ideas presented here will help you do just that.

But don’t ignore the tactics. You’ll need both to win the game.

-Derek Slater, dslater@cxo.com
You’ll never know who’s plotting the next cyber attack on your business. But with F5, you’re protected.

Unlike traditional or so-called “next generation” firewalls, F5 security solutions identify the nature and source of digital traffic and quickly adapt to threats.

Attacks are blocked without shutting down the works. Your precious applications and data remain untouched, and your defenses evolve as new threats appear.

Learn more at f5.com/smartersecurity.


[ FROM THE PUBLISHER ]

Naming Names

Let’s call a spade a spade: China is the greatest threat to international cybersecurity on the planet.

I’m tired of pussyfooting around this issue the way that I, and many others in security, industry and government have been for years. We talk about the “threat from Asia,” the attacks perpetrated by “a certain eastern country with a red flag,” network snooping by our “friends across the Pacific.” I swear, this is like reading a Harry Potter book with my daughter. “He-Who-Must-Not-Be-Named” just attacked our networks.

Let me be absolutely, crystal clear here.

In this scenario, China is Voldemort. Clear enough?

We dance around this issue because we don’t want to make China mad. God forbid.

This is cowardly appeasement. It’s like not wanting to say anything to the schoolyard bully who steals your lunch money every day.

I understand the whole issue of economic expediency. Why aggravate China? It’s a huge trading partner. But if that was a legitimate argument, wouldn’t China be asking itself that same question? Why aggravate the United States? It’s a huge trading partner!

I do not accept the argument. We know that if a business opens an office in China, it’s going to lose whatever intellectual property it has there. We know that when we send our executives to China, the Chinese government will be pilfering their laptops and cell phones. If that wasn’t the case, then why would we give our execs throwaway phones and laptops? (And if you aren’t doing that, we should probably talk.) The threat is real, and it’s about time we do something about it.

I was pleased to see U.S. counterintelligence chief Robert Bryant come out and finger the Chinese (and the Russians), calling their economic espionage a “national, strategic long-term threat to the United States.” Better late than never. China’s actions kill jobs and economic opportunity for all of us, and should not be tolerated.

Like Harry Potter, I’m not afraid of saying my enemy’s name. China, Voldemort, whatever. As long as we tolerate it, the problem will only get worse. Time for us to stand up and call it what it is.

-Bob Bragdon, bbragdon@cxo.com
Our society's attention toward physical security and public safety has exploded in recent years. It only takes a casual trip to the neighborhood shopping mall to witness the noticeable increase in security officers and cameras that have come to pervade our daily lives. Video surveillance is at the heart of many security systems because it helps security officials respond in real time to threats, store footage for later analysis, provide usable evidence in court, monitor assets and staff productivity, and comply with regulations.

BY ALEXANDER FERNANDES, PRESIDENT AND CEO, AVIGILON

Whitepaper available at www.csoonline.com/whitepapers/avigilon

AVIGILON: THE BEST EVIDENCE

Today, most installed surveillance systems use analog technology, which results in grainy footage because of the low resolution of the cameras and poor-quality recording equipment. Yet a much higher level of image quality is now available with high-definition (HD) digital video surveillance technology.

The perceived higher cost of HD, however, means that organizations are not jumping to upgrade. New HD components must also be compatible with existing analog surveillance equipment and IT infrastructure, and may require advanced IT knowledge to install.

Avigilon has responded to both the demand and the barriers for the adoption of HD surveillance by architecting a complete system that leverages the latest technologies available to deliver the best image detail, yet also eases the burden of cost, installation and support.

Our HD Network Video Management Software and megapixel cameras have been designed to capture and preserve the highest quality surveillance footage possible. Our proprietary High-Definition Stream Management (HDSM) technology compresses and preserves image quality, while intelligently managing image transmission so you can minimize storage and network bandwidth costs. Our system is also straightforward to install since it runs on an existing IT infrastructure and is compatible with analog cameras. This compatibility also means that an organization doesn't have to convert everything to digital at once.

Can you afford to upgrade? Avigilon customers say, "yes." Customers have shared that HD video is less expensive than analog when considering costs from a total system perspective. Here are just a few reasons why:

> Since our cameras are IP-based, you only need to install a single Ethernet cable to run the camera. Analog cameras require a coaxial cable and a power cable, which doubles the labor.

> Our megapixel cameras offer extremely high-resolution images, so you can use far fewer cameras to cover an area compared with analog cameras. In fact, just one of our 29 MP cameras can replace 95 analog cameras.

> IT and security personnel can easily manage the Avigilon Control Center software without the need for costly training.

Already, we are seeing rapid adoption of HD systems in gaming, casinos and retail environments, as security officials and executives understand the advantages of HD. The higher-quality HD video enables retailers to use surveillance systems for not only theft prevention and public safety, but for valuable applications such as analyzing traffic flow and staffing productivity.

As government and industry security regulations place pressure on companies and government agencies, we expect HD systems will make up 80 percent of total video surveillance sales in just three to four years. Helping customers make this transition, without threatening profits and cash flow in this tough economy, is our top priority at Avigilon.

www.avigilon.com

Alexander Fernandes is President, CEO, Chairman, Co-Founder of Avigilon. Fernandes has more than 20 years of industry experience leading companies that develop, manufacture and market high-end digital imaging technologies to a broad range of markets.
BLOG POST

New Position, Positioned Wrong

A few months ago, Sony announced that it had created a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I’m encouraged by the fact that Sony realizes they need someone focused on data security, but discouraged that that person will be reporting to the CIO, who almost always has a conflict of interest and so often reduces the CISO to a figurehead. CIOs are typically responsible for IT and systems that support enterprise operations, and they need those systems to be high-performing and feature-rich, but security often cramps that style.

If I were CEO of a multinational enterprise such as Sony, MassMutual or SAP, I would have my CISO report to the most senior risk executive in the company and have that executive report to me. I would create a nested risk-based approach to data and information protection. For example, application security would be part of a larger information security group, which would be part of a larger risk group, which would be responsible for assessing risk in the context of business continuity and operations.

Security and risk are elements of every person’s job, and the group that’s responsible for security is in charge of assuring the dissemination and absorption of those security and risk ideas; the security group should make it part of the culture as opposed to doing all the security work itself. This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.

Companies like Thomson Financial, Liberty Mutual and SAP had it right, in my opinion, but then changed things, which sent their CSOs running and significantly weakened their security posture overall.

—Ed Adams


BLOG POST

Securing Mobile Data at the App Layer

Most mobile device applications have serious security vulnerabilities. These flaws include the storage and transmission of unencrypted data, poor session handling and data leakage. McAfee addresses many of these management and compliance challenges through its Mobile Security Strategy.

The Open Web Application Security Project’s (OWASP) Mobile Security Project focuses on the security of the applications that enrich the user experience on mobile devices. According to its contributors, it “is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.”

The project focuses on the top ten mobile risks and will launch with a discussion of risk number one: insecure data storage. The controls recommended to mitigate these risks include encryption, data classification and session management.

Gartner’s analysis of upcoming mobile application trends highlights the need for a rigorous secure software development lifecycle. This includes financial applications, location-based services and mobile health monitoring.

Data Classification: OWASP recommends that processing, storage and transmission of data be consistent with its classification. Developers should consider data sensitivity when creating models from which information will be queried and processed.

They should also communicate with business stakeholders to identify the stages where data classification changes. The University of Florida has composed a mobile device data classification policy incorporating OWASP’s recommendations.

Access Control: The increased usage of mobile devices to access financial content, such as online banking and credit card management sites, makes a compelling case for strong access controls. According to a study by Stephen Perelson and Reinhardt Botha, there are three key security services that developers should address:

1. Authentication: The application must confirm the claimed identity.

2. Confidentiality: The application does not disclose information erroneously. OWASP advises that applications be programmed to collect and disclose only the data that is required for business use.

3. Integrity: The application attempts to mitigate the risk of data corruption.

Encryption: Consider the data that gets exposed to the applications on your smartphone: information about your contacts, credentials to your email accounts, and possibly credentials to financial sites, just to name a few.

A survey of 100 consumer mobile applications conducted by viaForensics found that 76 percent of apps stored unencrypted user credentials. The survey also found that private data could be recovered from 60 percent of these applications. The risk of credential sniffing or session hijacking is enhanced for those users who leave active sessions open on a website.

OWASP recommends that data stored on or transmitted by mobile devices be encrypted. The choice of encryption solution will vary depending on the enterprise’s requirements. In any case, developers should design code that does not store or cache sensitive unencrypted data.

All sensitive data should be transmitted to a server via a secure network connection and deleted from the mobile device. Sensitive data should be stored in an encrypted form if network connectivity is unavailable.

Data Purging: Data retention considerations extend beyond the familiar concerns in handling data outside of software applications. OWASP warns that applications retaining data beyond the period required for processing increase the chance of data leakage.

It advises that developers destroy sensitive data such as GPS coordinates or financial data once an application uses it. Additionally, all data that’s stored for longer than a specified retention period should be deleted.

The Kill Switch: According to a study by the Department of Health and Human Services, over 116 cases of mobile device loss or theft led to the exposure of at least 500 patient records between September 2009 and May 2011.

This is but one instance where applications lacked access to the common API that allows the deletion of data or disabling of the device remotely. OWASP recommends that this API be accessible by all applications that store or process data on the device.

—Steve Fox
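As an added illustration of the controls the post lists (data classification, encryption of stored data, destroying data once it has been used, and purging after a retention period), the Go program below sketches an on-device record store. It is example code written for this page, not code from the post, from OWASP or from McAfee. Every record carries a classification, is encrypted with AES-GCM before it is written, can be read once and destroyed, and is purged once it is older than the retention period. The AES key, the in-memory map standing in for a file or database, the record names and the one-hour retention period are all assumptions made for the example; a real app would take the key from the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Classification tags a record so its handling can follow its sensitivity.
type Classification int

const (
	Public    Classification = iota
	Sensitive // credentials, financial data, GPS traces
)

type Record struct {
	Class      Classification
	StoredAt   time.Time
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// Store is a hypothetical on-device store; the map stands in for a file or database.
type Store struct {
	aead    cipher.AEAD
	records map[string]Record
	maxAge  time.Duration // retention period; older records are purged
}

// NewStore takes a 16-, 24- or 32-byte AES key, assumed to come from the platform keystore.
func NewStore(key []byte, maxAge time.Duration) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: make(map[string]Record), maxAge: maxAge}, nil
}

// aad binds name and classification into the authenticated data, so a stored
// blob cannot be moved under another name or relabelled as Public.
func aad(name string, class Classification) []byte {
	return []byte(fmt.Sprintf("%s|%d", name, class))
}

// Put encrypts with a fresh random nonce before anything reaches storage.
func (s *Store) Put(name string, class Classification, plaintext []byte, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, aad(name, class))
	s.records[name] = Record{Class: class, StoredAt: now, Nonce: nonce, Ciphertext: ct}
	return nil
}

// Get decrypts and authenticates; any tampering makes Open return an error.
func (s *Store) Get(name string) ([]byte, error) {
	r, ok := s.records[name]
	if !ok {
		return nil, fmt.Errorf("no record named %q", name)
	}
	return s.aead.Open(nil, r.Nonce, r.Ciphertext, aad(name, r.Class))
}

// Consume reads a record and destroys it, for data needed only once
// (a GPS fix that has already been sent to the server, for example).
func (s *Store) Consume(name string) ([]byte, error) {
	pt, err := s.Get(name)
	if err == nil {
		s.remove(name)
	}
	return pt, err
}

// Purge deletes every record older than the retention period.
func (s *Store) Purge(now time.Time) int {
	n := 0
	for name, r := range s.records {
		if now.Sub(r.StoredAt) > s.maxAge {
			s.remove(name)
			n++
		}
	}
	return n
}

// remove zeroes the ciphertext buffer before dropping the record.
func (s *Store) remove(name string) {
	r := s.records[name]
	for i := range r.Ciphertext {
		r.Ciphertext[i] = 0
	}
	delete(s.records, name)
}
```

Binding the record name and classification into the GCM additional data means a blob that is copied under another name, or whose classification is downgraded, no longer decrypts, so the classification cannot be silently lost. Encryption at rest does not replace the secure network connection the post also calls for; it limits what a lost or stolen device gives away.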
Data-Centric Security Against Tomorrow's Threats

How have data and data management evolved, and why is it important to today's enterprise IT?

I don’t think anyone 20 years ago could have predicted the explosion in the amount of data that is available at everyone’s fingertips today, specifically across enterprises but also flowing all the way up from and down to the consumer. And because of legal compliance requirements, more and more data is accumulated, despite the fact that getting sensitive data out of your system is a way to start reducing risk.

Then you look at the ways organizations are dependent on this data to function, and you quickly see that it’s the lifeblood in most of today’s businesses.

Give some examples of new kinds of data breaches.

The modern attack these days is getting in through what are referred to as zero-day mechanisms, meaning that no amount of perimeter defense can prevent them. They are malware attacks that can steal the credentials of a valid user and make their way to the internal networks via techniques such as spear-phishing, SQL injection, or rogue USB storage devices. Once they’re on the network, they can inherit the permissions of a trusted user and find their way over to more important assets.

Why doesn't the traditional approach of data protection work?

The conventional approach is to create moats around your castle to keep out unwanted intruders. In IT terms, these moats are firewalls and smart screen filters. The problem is that people are exchanging data in the clear with a wide variety of business partners in a variety of ways (mobile, cloud and outsourcing) in spite of the information security risks. So the traditional approach of setting up barriers to prevent infiltration is not even relevant to these data flows.

Explain the data-centric approach.

From the very first point of entry, the data, structured or unstructured, is encrypted. As it is used across data centers, public and private clouds and mobile devices (in use, in transit, or at rest) it remains encrypted. That’s important because in the event of a breach, the theft of data is minimized. It makes the cost of a breach much, much higher.

What does Voltage do to support the data-centric approach?

Voltage technology, including Format-Preserving Encryption, Identity-Based Encryption and stateless key management, provides a single platform with data-centric encryption and tokenization that accommodates business processes consuming both structured and unstructured data.

This platform helps our customers protect their data and files in a variety of ways, including in production data centers and public clouds, QA and preproduction environments, on desktops and mobile devices, across the payment processing cycle, and among employees, partners and customers.

We have top executives in the biggest banks in the world who say the cost of ownership, time to deployment and a short time to realize a return on investment, even on mission critical legacy infrastructure such as the mainframe, are key criteria for choosing Voltage. Our stateless key management approach brings a reduced TCO as there is no need for data replication across data centers, and it greatly simplifies disaster recovery and overall architecture. It also lets our customers scale exponentially to accommodate business needs, and embrace data-level security in and out of the cloud.
Staff Shortcomings May Be as Big a Risk as Obsolete Technology, Surveys Say

It’s no secret that attacks are rising in numbers and complexity, so it should also come as no surprise that enterprises are having a hard time keeping certain types of attacks at bay.

These include DNS attacks, network layer denial-of-service (DoS) attacks and attacks on encrypted data.

The attacks are costly: The typical annual tally, for those polled for a recent Applied Research survey, is about $682,000. More than half the enterprises surveyed said the attacks hurt workers’ productivity, 43 percent said they lost data, and 31 percent said they lost revenue.

Additionally, organizations said attacks caused them to lose customer trust, incur regulatory fines and suffer the theft of money or other goods.

The survey was commissioned by F5 Networks and got responses from 1,000 large organizations in 10 countries.

It also found that traditional security technologies are not keeping up with current threats.

For instance, 42 percent of respondents said they experienced a firewall failure due to network-layer DoS traffic load this year, and 36 percent reported such a failure during application-level DoS attacks.

Survey respondents didn’t have much faith that their security systems could parse traffic context well enough to protect against complex attacks any more effectively than “somewhat well.”

In an attempt to quantify the impact of these attacks, Applied Research combined survey results, including the top three most frequent, difficult and high-impact attacks reported, to develop its Cyber Attack Index. According to its findings, DNS attacks were the most dangerous, followed by network DoS attacks, accessing encrypted data, misconfigurations, and application layer DoS attacks.

Also noteworthy is that a large portion of security professionals are not familiar with attack techniques that are commonly known among hackers and penetration testers. More than 30 percent of respondents weren’t familiar with directory traversal, cross-site request forgery, application layer DoS, or cross-site scripting attacks.

That lack of industry knowledge was touched on in another Applied Research survey. The 2011 Threat Management Survey, sponsored by Symantec, found that gaps in security technologies combine with insufficient staffing and lack of confidence in that staff to pose the greatest challenge to security.

In fact, a surprising 57 percent of the 1,025 surveyed said that they don’t have confidence in the ability of their IT security staffs to respond to new and emerging threats.

About half of those who lacked confidence said that insufficient security staff was a top factor. In total, 43 percent of organizations reported being “somewhat” or “extremely” understaffed.

In North America, even more companies were short staffed, with 53 percent citing a staffing deficit.

-George V. Hulme
“The whole concept of security is a big mind-set change.”

-ALAN NUTES, SENIOR MANAGER OF SECURITY AND INCIDENT MANAGEMENT, NEWELL RUBBERMAID
LEADERSHIP

Getting Stuff Done: Public vs. Private Sector

Veteran security leader Alan Nutes on the key differences

When Alan Nutes joined Newell Rubbermaid earlier this year as senior manager of security and incident management, he was returning to the corporate world after a hiatus of 21 months in the public sector. Nutes’ time in the public domain contrasts sharply to the rest of his career, particularly when it comes to how security initiatives are approved.

For instance, at the City of Atlanta’s Department of Watershed Management, where Nutes was security manager, anything over $20,000 required approval from the city council, which could take months or even a year. In addition, most security programs were only launched to shore up critical infrastructure or in response to government regulations. “If it wasn’t considered critical, chances are the city would not have done it,” Nutes says.

At Newell Rubbermaid, on the other hand, there’s no set limit to a purchase order; the gating factor is educating business unit leaders on best practices and the need for increased security measures. “One facility is [subject to Department of Homeland Security regulations] because it deals with chemicals, but everything else is education, education, education, and explaining security needs,” Nutes says.

The global security program at Newell Rubbermaid is just two years old and was formed as part of an overall initiative begun in 2005 to create corporation-wide business services. Nutes is in charge of business continuity and organizational resilience for 120 locations in North America. So far, he has been working with business units on risk assessments, in addition to developing security policies and procedures.

The five-year plan is to create a global security operating center for North America and Latin America, ultimately extending to Europe and Asia.

But first, the company had to standardize physical security devices. “We did a gap analysis and discovered a mishmash of systems, so we’re creating a standard for access control, cameras and badging systems,” Nutes says. Individual business units are responsible for budgeting for these new requirements, and that’s where the education really comes in, he says. “The whole concept of security is a big mind-set change,” he says. “The biggest thing is convincing them it’s needed.”

It helps that Nutes has the backing of senior management and the internal audit organization. He also works with coordinators at each facility, either in the human resources or facilities departments, who help champion the security goals.

“It’s been an amazing experience to see how many groups are supportive; they just need to be walked through the process,” he says. “I’ve been very fortunate in what I’ve been able to accomplish in six months.”

-Mary Brandel
MALWARE

Analyst: Duqu Is All a Bunch of Hype

In a blog post, eEye chief researcher Marc Maiffret says far too much is being made of the Duqu threat.

He writes an analysis dripping with sarcasm, noting that “the world is indeed coming to an end” because Duqu is supposed to be based on Stuxnet and is, as FoxNews.com says, “the Hydrogen Bomb of Cyberwarfare.”

He writes:

“The fuss is being made because some anonymous researchers sent a report to some anti-virus companies showing analysis of some new malware that shared similar characteristics to Stuxnet. This has of course led people to make all sorts of outlandish claims of what this means and how bad it all is.

“The reality, however, is that while Duqu and Stuxnet might share characteristics within their code and how they embed into a system, it becomes apples and oranges to draw any more comparisons than that. What made Stuxnet revolutionary was not how it compromised systems using zeroday, or how it backdoored systems, but rather its unique ability to actually implant code into physical systems to cause actual damage in the real world outside of cyberspace.

“It’s not that Duqu doesn’t deserve to be taken seriously in its own right. Researchers have backed off the Stuxnet link in recent days, but vulnerabilities targeted by this malware have been concerning enough for Microsoft to issue warnings.”

It’s the hydrogen bomb analogy Maiffret finds tough to swallow.

“The capabilities of Duqu, while maybe structured like Stuxnet, are not unique to Stuxnet or Duqu. In fact, a lot of the command and control functionality that is accessible by attackers leveraging Duqu is not much different than any of the functionality you get in common botnet malware. The ability to list processes, take screen shots, log keystrokes, load modules, grab system information, etc.... is all functionality that a wide variety of malware backdoor programs have these days. One could argue that it is hard to actually write any modern piece of malware these days that does not include various functionality and characteristics from Duqu, Stuxnet, Aurora and so on and so forth.”

He adds:

“I am not typically a fan of anonymous research reports that are quickly regurgitated by large anti-virus companies to drive ‘sky is falling’ headlines.

What you end up getting is exactly what we have now...major news media outlets and security industry publications blowing everything out of proportion, using ‘what-if’ and ‘maybe’ quotes. There is an utter lack of facts and scientific rigor in any discussions. There was one security publication that quoted a security company representative as saying, ‘Duqu could be the precursor to another SCADA-type attack. Or the events could be entirely independent.’ I understand that sound bites can be hard to say, but our industry is honestly becoming more and more hype-oriented by giving sloppy, fear-mongering quotes with little to no factual information to back any of it up.”

-Bill Brenner




December 2011/January 2012 www.csoonline.com 13


BRIEFING

SALTED HASH

Bad Security PR Watch

This security public relations firm should read its press releases before sending them out

ON OCCASION I show you some of the more awkward press releases I receive from PR firms trying to get media coverage for their security clients. But rushing out a press release with misinformation, incorrect details and empty hype is not serving a client well.

Someone recently noted that it’s not the PR firm’s fault because the vendors tell them what to put in press releases to attract attention. That’s hooey.

A PR firm’s job is to help vendors manage their message responsibly. If they just do what they’re told and put out nonsense, they fail their client, not to mention all the security practitioners who are relying on publications like CSO for actionable information.

So I feel the need to poke fun at a PR email I got about the Duqu threat. To preserve some dignity for the PR person and vendor, I’ll leave names out. Here is the message, with my comments in italics:

“VENDOR X Protects Against Son of Stuxnet Duqu now!”

We’re in trouble as soon as we reach the headline. The PR scribe neglected to mention that researchers have backed off calling Duqu the Son of Stuxnet because, after further analysis, they found that despite some common features, Duqu and Stuxnet have been designed to do different jobs, one very targeted, the other more general.

“Just a quick update that Microsoft has issued a temporary fix to guard against Duqu, the recently spotted malware that in some ways resembles the highly dangerous Stuxnet worm. However, the patch only deals with the Microsoft Word side of the equation; users will still be vulnerable to Duqu malware with other types of documents like PDFs or Excel attachments.”

That paragraph sounded familiar to me. I eventually realized it came from a TechNewsWorld article I saw earlier. It borrows from the article almost verbatim, without properly sourcing it.

“Duqu is a zero-day vulnerability that is part of an installer application used to install the malware, so a patch to remedy the software vulnerability does not protect against the actual Duqu malware. Duqu has been identified as malware that was likely written by the same people who created the highly dangerous Stuxnet worm, which had infiltrated Iranian nuclear installations. Duqu is primarily a remote access Trojan that is targeted toward organizations for their specific assets.”

Duqu is not a vulnerability. It is a piece of malware that exploits vulnerabilities like the one Microsoft is working to fix.

“VENDOR X anti-malware is known for its strength against zero-day malware and its unparalleled ability to recognize malware it has never seen before. VENDOR X’s PRODUCT delivers proactive protection against malware. If you’d like more information, please don’t hesitate to contact me...” (End of email.)

I don’t think I’ll be calling this person back. -B.B.

CSOonline’s new Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso


FRAUD

Most Fraud Is an Inside Job, Survey Shows

Fraud rates dipped slightly this year, according to figures from the Kroll Annual Global Fraud Report. But frauds are increasingly being committed by the folks right under your nose at work.

Fraud cost organizations 2.1 percent of earnings in the past 12 months, which is equivalent to a week of revenue over the course of a year, according to the Kroll report, a recently released survey that polled more than 1,200 senior executives worldwide.

The research does contain some good news, however, and found a decline in the frequency of fraud over last year. Of the executives polled, 75 percent said their companies had suffered some kind of fraud-related loss in the last 12 months, which is down from 88 percent in the year before.

However, fraud remains predominantly an inside job, according to the report, and inside jobs increased this year.

The 2011 figures show that 60 percent of frauds are committed by insiders, up from 55 percent last year.

“It’s important to keep in mind these are only the cases in which the perpetrator is known,” says Richard Plansky, senior managing director in Kroll’s business intelligence and investigations practice. “I think it’s a fair inference that the percentage is actually significantly higher when we take into account all fraud cases. From what we are seeing here over the last seven years, this exact finding is a reflection of an economy that is increasingly information-based.”

That translates into more concern among executives, said Plansky. Overall, fraud concerns rose approximately 15 percent, led by information theft, corruption and bribery.

-Joan Goodchild




Q&A

HOW TO HAVE REAL RISK MANAGEMENT

Our coverage of the annual Global Information Security Survey conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers has sparked some interesting discussions about what it takes to be a security leader. Specifically, the discussion is about how organizations can move from being a security laggard to something better. As part of those discussions, we spoke with Andy Ellis, CSO at Akamai Technologies. Ellis is responsible for overseeing the security architecture and compliance of the company’s globally distributed network and sets the strategic direction of its security.

CSO: What attributes must an enterprise leader in risk management have?

Ellis: This is a hard thing to measure. I think the important thing is that organizations actually understand the risks that apply to them, and that they make intelligent decisions based on that risk profile. These are the organizations that are actually out front, leading the way, defining new risk models for themselves and selecting technologies and solutions that are appropriate for their business.

Companies seem to be spending a lot on security products, but not as much on strategic efforts. Do you think it’s indicative of their already having effective strategies in place? Or are they focusing on just the technology?

In a down economy, you probably aren’t spending time revamping your strategy. Hopefully, you’re executing. That would be my guess as to what a lot of these organizations are doing. I think what you could be seeing is organizations saying “Look, I’m not going to try to rebuild my business continuity plan this year. It’s not like we actually added a thousand people. I can run with the existing plan. It’s much more important. Let’s go execute on the strategy that we didn’t finish from last year.” I think industry often spends more time thinking about strategy and less time executing. That’s what we’re seeing in the survey results: “Hey, let’s protect our jobs by going and executing on what people can see.” Many times enterprises can’t see a strategic change in security, and if management can’t see it, it may not have much perceived value.

A lot of companies seem to be skimping on disaster recovery and business continuity planning. Do you think there’s a reason for this beyond it not being a priority, or organizations believing bad things won’t happen to them?

You have to look at it individually. For many businesses, that’s a risk they have to take. I recall, after 9/11, there was an investment company that was praised for its business continuity plan. It was one of the investment companies that had been in the World Trade Center, and everybody was holding it up as this example of great business continuity planning. It had a good plan in place and it kept the business running after the attack. Three years later, the company was out of business. The reason was that it didn’t actually have a business continuity plan that dealt with how to keep the business successful after losing so many skilled knowledge workers. The point is that there are some events that are not worth planning for. And some companies can’t afford to put a disaster recovery plan in place. Not everything is in our control. So one of the important things to focus on is, How will the organization run its incident response after the event? That is the most important thing to make sure an organization has in place. -G.V.H.
Security Wisdom Watch

Thumbs Up: Adobe. To the cheers of many a security practitioner, Adobe announced it will not proceed with plans for a Mobile Flash player. Instead, it will focus on HTML5. That means the eventual end of Flash everywhere. Considering Flash’s history of security holes, we see this as a positive development.

Thumbs Both Ways: The Department of Justice. The agency charged seven people with 27 counts of wire fraud and other computer-related crimes, putting a big dent in an operation that hijacked 4 million computers across 100 countries in a sophisticated click-jacking scheme. But as we’ve seen before, big arrests rarely keep fraud operations like this down for long.

Thumbs Down: Security PR. We’re seeing an alarming increase in PR pitches that treat new threats with needless hype and fear in an attempt to get publicity for their vendor clients. The latest examples are showing up in discussion of the Duqu malware that PR agencies keep calling the “Son of Stuxnet,” despite the lack of evidence that the two are related.

Thumbs Both Ways: Apple. Apple banned security researcher Charlie Miller from its developer program for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware. We usually hate it when vendors do this because it’s a sign they would rather hide security holes than acknowledge and fix them. But in this case, it appears Miller violated the developer agreement.

-Compiled from various reports published at CSOonline.com


Verbatim...

Shots heard ’round the security world

“I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”

-Security researcher Charlie Miller, who was bounced from Apple’s developer program for creating an iOS app designed to exploit a security flaw he had uncovered in the firmware. Apple says his methods violated its program rules.

“Flash Player won’t go away anytime soon, but HTML5 is the future of the Web.”

-Gartner analyst Ray Valdes, after Adobe announced it will stop developing Flash Player for mobile browsers in favor of HTML5.

“We will continue to leverage our experience with Flash to accelerate our work with the W3C and WebKit to bring similar capabilities to HTML5 as quickly as possible.”

-Danny Winokur, the Adobe executive in charge of interactive development, regarding the decision to shelve mobile Flash plans.

“You could open every cell door, and the system would be telling the control room they are all closed.”

-John J. Strauchs, a former CIA operations officer who helped develop a cyberattack on a simulated prison computer system and described it at a hacker conference in Miami last month.

“Duqu is a zero-day vulnerability that is part of an installer application used to install the malware, so a patch to remedy the software vulnerability does not protect against the actual Duqu malware.”

-Story pitch from a PR representative who evidently thinks malware and vulnerabilities are the same thing.
CLOUD COMPUTING

Companies Sweat Cloud’s Security, Proceed Anyway

It’s no secret that organizations are concerned about their ability to secure and maintain regulatory compliance in their cloud deployments. However, just as concerns around credit card security didn’t seem to noticeably stall the adoption of e-commerce on the Web, security concerns haven’t stopped or even noticeably slowed cloud adoption.

A recent Forrester ForrSight survey shows that 67 percent of large enterprises are using cloud computing infrastructure-as-a-service (IaaS) platforms to support production applications. That’s greater than the 61 percent saying they use IaaS for testing and development.

Evidence is mounting that enterprises are no longer using cloud primarily for testing, training and demonstrations; now they’re using it in crucial production systems. So it’s interesting to read that the research firm the Ponemon Institute found organizations not only don’t have a handle on important aspects of cloud security, they are also well aware that they don’t.

More than half of survey respondents, 52 percent, rated their organization’s overall management of cloud server security as fair (27 percent) or poor (25 percent). Twenty-one percent didn’t have any comment on their ability to secure their cloud servers. Further, 42 percent expressed concern that they wouldn’t know if their organizations’ applications and data were compromised by an open port on a server in a cloud.

The study, “Cloud Security: Managing Firewall Risks,” was sponsored by cloud security firm Dome9 Security and polled 682 U.S.-based IT and IT security practitioners whose organizations rely on hosted or cloud servers.

When asked why organizations are continuing to move to cloud while admitting they don’t have a strong grasp of how to secure their systems, Dave Meizlik says it comes down to habit. “Many people aren’t used to having to directly secure their servers. They have segmented networks and perimeter firewalls that take care of that for them,” says Meizlik, vice president of marketing and business development at Dome9. “People follow the processes that they know and are used to.”

According to the study, 61 percent of respondents say their organization does not have a cloud server firewall management product. Of those who do not, 62 percent say it is because they are not scalable, 59 percent say it’s because they cost too much, and 57 percent say it’s because such products are not available to them.

This study’s findings mirrored those of a recent Ponemon security study, sponsored by encryption and key-management firm Vormetric, which found that of the 1,000 IT security and compliance officers questioned, less than half believe their organizations have the technology needed to secure their cloud deployments.

-G.V.H.
COVER STORY

Looking for inspiration? Want to learn a few new ways to elevate your security game? Can you spare five minutes to think strategically and long-term instead of just putting out another fire?

Then look no further. We’ve combed through our archives and come up with some of the best and most useful ideas for running a great security program.

Some are big ideas; some are very small. They cover new trends and age-old dilemmas. These tidbits come from security practitioners, industry experts and some other all-around smart folks. We present them to you here in bite-sized pieces, with topics intentionally intermingled to help get your creative juices flowing.

TIP: Get your highlighter. Read until you hit an idea you like. Flag it. Then go try it. Come back again when you’re ready for another idea. We’ll be here.

1 Get a mentor who’s younger than you are. How else will you understand and effectively lead (or follow) a different generation? This recommendation comes from James Beeson, CISO of GE Commercial Finance.

2 Make sure the CEO is wearing his access badge. Sure, a good awareness program might ask employees to check on one another to ensure they are wearing badges or ID. But what if management is neglecting to follow the rules? Tim Giles, former head of security, says it is a physical security mistake he sees all the time.

“I tell them, you have to make a choice. If you are going to have a badge-wearing program, you have to wear the badge. If you’re not going to wear one, do away with the program because if you don’t wear it, you undermine the program.”
www.csoonline.com/article/501467

3 Nurture dissent in your team. “I solicit people to challenge management. That is so critical. It creates much better decisions when people can respectfully and openly challenge assumptions, thinking and decisions,” says Tim Williams, global security director for Caterpillar.
www.csoonline.com/article/688812

4 Practice listening. To hone your negotiation skills, start with opening your ears.

“Active listening is a bunch of relatively simple skills. One is asking questions to clarify what the other person said,” says Chris Voss, a former FBI negotiator and head of the Black Swan Group, a firm that specializes in business and security negotiations.

Another is paraphrasing: saying back to the other person, in your own words, what you think he just said. This is helpful because then “the other person gets to hear how their communication was received and whether or not it has been heard correctly.”
www.csoonline.com/article/595563

5 Enable password-protected screen savers. They’re simple and free; what’s not to love?

6 Can’t decide on one business solution? Come up with gold, silver and bronze options. “Help the business understand the risks associated with each option, then let its members make the final selection,” says Dan Lohrmann, CTO of the state of Michigan. Just be sure not to offer any alternatives that you can’t live with.
www.csoonline.com/article/641819


Keep the Best, Destroy the Rest

7 KNOW THE DIFFERENCE BETWEEN RECORDS AND BACKUPS...

The first step to a good records-management program is simply identifying what a record is. Sure, the email servers and network drives get backed up at the end of the day or week. You need those backups to keep the business running. But a record, technically, is something that you need to keep around for a set period of time, for regulatory, legal or business reasons. Records encompass both structured information, such as financial transactions stored in the company’s enterprise resource planning (ERP) system, and unstructured information, such as financial spreadsheets exchanged by email that might eventually feed into the ERP system (or just sit on someone’s computer indefinitely).

8 ...THEN SET A CLEAR TIMELINE FOR THE DESTRUCTION OF UNNEEDED RECORDS...

This will vary by type of information and the regulations to which it is subject. Your legal and compliance function will be a handy ally. “For a Fortune 50 company with 20 lines of business, you may have 50 or 60 different laws that apply to document retention,” says attorney Ed McNicholas, who specializes in information law. He refused to even hazard a guess about how long most business records need to be kept on hand. “You have to start with an accurate survey of the information that’s in the organization,” McNicholas says.

9 ...AND SEND REMINDERS!

At American Savings Bank, Kenneth Newman says the security group sends out quarterly email reminders about certain records that need to be destroyed. “We issue a reminder that if you have these types of documents in any format,” paper or electronic, “the time has come to arrange for their destruction,” says Newman.

www.csoonline.com/article/220939


10 Be happy when you tweet. That is to say, definitely don’t post content on Twitter, Facebook or LinkedIn when you’re upset.

“Posting any content when angry is about as dangerous as sending flaming emails, if not more so,” says Scott Hayes, president and CEO of Database-Brothers. “Think twice about clicking ‘submit’ because the world may be looking at your angry, immature rant for years.”
www.csoonline.com/article/496314

11 Be the Chief Self-Esteem Officer. Remember Stuart Smalley, the old Saturday Night Live therapist who began each skit with his daily affirmation? Channel him in your thinking: You’re good enough, you’re smart enough and, doggone it, people like you. Have confidence in your judgment, and push back when it’s necessary. We’ve been giving CSOs this advice for years, and we still believe it and know that, once in a while, you need to hear it.
www.csoonline.com/article/218675

12 Think of one new way to pass costs back to business units. Having trouble increasing your security budget? Make it smaller by finding ways to pass your expenditures back to the business units that are benefiting from your group’s efforts. This takes some legwork and salesmanship, but it can quite literally pay for itself.
www.csoonline.com/article/218675

13 Institute a clean-desk policy. Offer guidance on what should be locked up and when. Make sure employees know that it’s not acceptable to keep sensitive papers out overnight.
www.csoonline.com/article/219055
www.csoonline.com/article/529764


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Brush  up  on  the  basics  of 
'  fr  accounting.  It  may  seem 
obvious,  but  it’s  important  to  have  a  good 
grasp  of  basic  accounting  principles.  This 
will  help  you  do  effective  training  and 
awareness  programs,  as  well  as  identify 
problems.  The  tenets  will  be  familiar  to 
you:  trust,  but  verify. 
www.csoonline.com/article/591654 

Simplify  your  PowerPoint 
Mb  ; :  f  slides.  Supporting  materials 
should  cover  the  highlights,  not  repeat 
your  entire  message  and  then  some.  Jerry 
Weissman,  the  corporate  presentation 
consultant  who  wrote  Presenting  to  Win: 
The  Art  of  Telling  Your  Story,  says  he  has 
also  seen  too  many  presentations  where 
the  legends  are  indecipherable,  the  grid 
lines  are  impossible  to  follow,  and  the 
numbers  aren’t  even  right -justified. 

“Any  one  of  these  violations  of  the 
depictions  of  the  numbers  is  a  distraction 
from  the  presenter  and  the  presenter’s 
message,”  Weissman  says. 
www.csoonline.com/article/219903 

Thinking  about  outsourcing 
security?  Think  long-term. 
Building  relationships  and  trust  takes 
time.  But  you  knew  that. 
www.csoonline.com/article/479097 

Consider  whether  you 
adequately  separate  the 
people  from  the  security.  Businesses 
are  made  up  of  people,  who  have  families, 
play  golf  (or  another  game)  and  cheer  for 
local  sports  teams,  says  Dan  Lohrmann, 
CTO  of  the  state  of  Michigan.  Remember¬ 
ing  this  will  help  you  separate  the  tough 
issue  you’re  addressing  from  the  person 
with  whom  you  disagree. 

“Remember  that  the  relationship  will 
usually  last  longer  than  the  current  chal¬ 
lenge,”  says  Lohrmann. 
www.csoonline.com/article/641819 

m  A  Memorize  the  37-word 
J.O  description  of  how  (in 
theory)  to  achieve  perfect  informa¬ 
tion  security.  There  are  exactly  two  keys 
to  information  security  or  information 
assurance,  according  to  Stephen  North- 
cutt,  president  of  The  SANS  Technology 
Institute:  “First,  configure  the  system  and 


Don’t  Lose 
Your  Head 

WHEN  PROTECTING 
INTELLECTUAL 
PROPERTY,  SWEAT 
THE  SMALL  STUFF 

It  doesn’t  take  one  large  IP 
breach  to  destroy  your  business; 
instead,  a  thousand  small  ones 
could  hinder  your  company’s 
ability  to  stay  competitive,  says  William  Boni,  vice  president  and 
CISO  of  Motorola  and  a  co-author  of  Netspionage:  The  Global  Threat 
to  Information.  “I  call  it  the  death  of  a  thousand  cuts.  Because  most 
organizations  don’t  have  a  means  of  tracking  the  loss  of  proprietary 
information,  they  go  on  constantly  hemorrhaging,  constantly  losing 
market  share.  Gradually  it  takes  the  vitality  out  of  the  organization 
because  it’s  hard  to  invent  and  create  things  faster  than  people  are 
leaking  it  or  stealing  it.” 

www.csoonline.com/article/218034 

FINE-TUNE  YOUR  PROTECTION  OF  TRADE  SECRETS 

Employees  usually  know  that  trade  secrets  are  valuable, 
and  stealingthem  is  illegal  under  the  1996  Economic  Espionage  Act. 
What’s  more  complicated  is  helping  employees  understand  how 
seemingly  innocuous  details  can  be  strung  together  into  a  bigger 
picture  that  could  be  advantageous  to  your  competitors. 

www.csooniine.com/article/218034 


network  correctly  and  keep  it  that  way. 
Because  this  is  impossible  to  do  perfectly, 
the  second  key  to  information  assurance 
is  to  know  the  traffic  coming  into  and  out 
of  your  network.”  Recite  five  times  in  the 
shower.  See,  now  isn’t  that  simpler  than 
you  thought? 

www.csoonline.com/article/342820 

Clearly  identify  your  starting 
point.  It  might  seem  obvious, 
but  before  you  decide  to  undertake  a 
project,  do  whatever  you  can  to  establish  a 
baseline.  It’s  like  knowing  how  much  you 
can  bench  press  on  your  first  day  at  the 
gym  so  you  can  quantify  how  much  you’ve 
improved. 

www.csoonline.com/article/219903 

Look  for  hard  numbers. 

Business  people  love  metrics. 
Numbers  can  help  you  communicate  and 


quantify  the  investment  your  organization 
is  making  in  security.  Be  ready  to  share 
whatever  numbers  will  help  prove  the 
value  of  the  security  organization,  even 
if  it’s  something  simple  like  the  number 
of  desktop  computers  your  team  has 
scrubbed  of  viruses. 
www.csoonline.com/article/219904 

Organizing a team? Mix experienced staff with younger employees. They can benefit from one another’s perspectives.

www.csoonline.com/article/218675

Automate your patching processes. Rote tasks can zap your organization’s time and funding. Set up systems to handle the software and OS updates, and save your staff for tasks that require more expertise.

www.csoonline.com/article/218675
Julian Lovelock

VICE PRESIDENT OF PRODUCT MARKETING, ACTIVIDENTITY

Mr. Julian Lovelock is Vice President of Product Marketing at ActivIdentity, and is responsible for defining and bringing to market products across the Identity Assurance portfolio. Mr. Lovelock is based in Fremont, California, having relocated from London in 2006. He joined ActivIdentity in 2005 as part of the acquisition of ASPACE Solutions, where he was CTO and co-founder. Since joining ActivIdentity he has held a number of positions in Product Management as well as market responsibility for ActivIdentity’s security solutions for online banking. He holds a BEng in Electrical and Electronic Engineering from the University of Aston, UK.

FOR MORE INFORMATION: visit us at www.actividentity.com/solutions/enterprisesolutions/

CSO Custom Solutions Group

ActivIdentity, part of HID Global

Layered Defense: A Strategic Investment

Julian Lovelock of ActivIdentity discusses why security breaches are on the rise, how enterprises can protect themselves against attacks, and what he foresees for the future of enterprise security.

Security breaches are on the rise worldwide. Why is it that we are seeing such a substantial increase? And why now?

It’s a question of supply and demand. Several significant factors are converging to lower the barrier to entry for would-be attackers. Increased sharing on social networking sites makes it easier to launch social engineering attacks. Information on how to launch attacks, including starter kits for building effective customized malware, is readily available online. Meanwhile, more people want to launch attacks, for reasons that may be financial or political—or just malevolent mischief. The business impact includes irreparably damaging the organization’s reputation, such as in a banking relationship based on trust; stealing credit card data for financial gain; gaining access to intellectual property; or gaining a competitive advantage.

Do these attacks follow any pattern?

Yes. The attacks may vary, but there is a common pattern. Typically there are three steps. First the attacker creates a genuine-looking e-mail containing customized malware. Using information gleaned from a social networking site, the attacker can penetrate perimeter defenses and get onto the network. Then the attacker moves across the network, jumping from computer to computer and gaining access to critical data. Finally the attacker extracts the data from the enterprise.

How can enterprises best invest their resources to defend against such attacks?

It’s tempting to invest all your resources in protecting the perimeter, but it’s not the wisest strategy. No perimeter defense is 100 percent effective. A far better return on your investment is a layered defense strategy that defends against all three steps. The investment strategy should stop the attack at each step and prevent the attacker from moving across the network to steal information.

Can you give an example?

Many companies invest heavily in expensive one-time password (OTP) tokens for perimeter defenses, primarily for VPNs. Attackers can bypass these defenses and gain entrance to the internal network through malware embedded in e-mails, and then all they have to do is crack static passwords. A layered defense is a better investment: Replace hardware OTP tokens with cost-effective “software tokens” that can be provisioned to mobile phones, and issue smart cards to privileged users to protect access to critical servers and admin accounts.

What role does ActivIdentity play in helping enterprises implement a layered defense?

We provide identity assurance solutions that enable enterprises to implement strong authentication for both the perimeter and sensitive system resources on the internal network, decreasing IT costs and credential management complexities. Think of us as the identity protector, the partner that enables you to proof and trust users on your network.

What do you see as the biggest future challenge in this area?

The trend of allowing employees to connect personal devices such as mobile phones and tablets to the corporate network is growing. This consumerization obviously introduces many challenges, including a largely unpoliced route allowing attackers to penetrate the corporate network with malware.

Looking ahead, what do you see as key innovations in protecting enterprises against such attacks?

The use of device forensics and adaptive authentication technologies has already been proven in the banking industry and shows significant potential for various markets. I believe that the corporate sector will start to benefit from the R&D and standards work driven by government investment in smart cards over the last 10 years. I also think the convergence between physical and logical security offers an opportunity for organizations to better leverage existing investments in security solutions, such as smart cards issued to authorized employees, to further improve security.
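The second step of the pattern described in the interview, an attacker jumping from computer to computer, leaves a trace a defender can look for: one account successfully authenticating to an unusual number of distinct hosts in a short time. The following is an added example, not from the interview or from ActivIdentity; the log format, host names and sample lines are constructed for illustration.

```python
"""Flag accounts that successfully authenticate to many distinct hosts in a
short window, the trace left by the "moves across the network" step.

Added example, not from the interview or ActivIdentity. The log format is a
constructed, simplified one, assumed to be time-ordered:
    <ISO timestamp> <account> <source host> -> <destination host> <result>
Real sources (Windows logon events, sshd, VPN logs) need their own parsers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: two ordinary users and one account hopping across hosts.
SAMPLE_LOG = """\
2011-07-07T09:00:01 alice ws-101 -> fileserver-1 success
2011-07-07T09:00:05 alice ws-101 -> mail-1 success
2011-07-07T09:01:30 bob ws-102 -> fileserver-1 success
2011-07-07T09:02:10 svc_backup ws-117 -> db-1 success
2011-07-07T09:02:12 svc_backup ws-117 -> db-2 success
2011-07-07T09:02:15 svc_backup ws-117 -> hr-share success
2011-07-07T09:02:19 svc_backup ws-117 -> finance-1 success
2011-07-07T09:02:21 svc_backup ws-117 -> dc-1 failure
2011-07-07T09:02:22 svc_backup ws-117 -> dc-1 success
2011-07-07T09:45:00 alice ws-101 -> print-1 success
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, src, dst, result)."""
    ts, account, src, _arrow, dst, result = line.split()
    return datetime.fromisoformat(ts), account, src, dst, result


def find_fan_out(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {account: set_of_hosts} for accounts that reached at least
    `threshold` distinct hosts within any `window`. Only successful logons
    count: a failed attempt did not move the attacker anywhere, and is a
    different signal (password spraying) that deserves its own rule."""
    recent = defaultdict(deque)   # account -> deque of (ts, dst) inside the window
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, account, _src, dst, result = parse_line(raw)
        if result != "success":
            continue
        q = recent[account]
        q.append((ts, dst))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold:
            alerts.setdefault(account, set()).update(hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fan_out(SAMPLE_LOG).items():
        print(f"ALERT {account}: {len(hosts)} hosts in 5 min -> {sorted(hosts)}")
```

Tune the window and threshold per environment: backup and monitoring service accounts legitimately touch many hosts and belong on an allow-list, which is exactly the kind of baseline an earlier tip asks you to establish first.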
At overnight events, provide a safe place for employees to leave their laptops. Bonus points if you send out a letter before the event reminding attendees to leave their laptops in the designated area rather than in their hotel rooms—assuming they need to bring their laptops at all. This letter should be signed by the senior-most person attending the event.

www.csoonline.com/article/220282

Share your knowledge. To be recognized as a leader at your business, don’t hoard knowledge, says Michigan CTO Dan Lohrmann. Instead, freely give it away.

www.csoonline.com/article/641819

Remember: Processes are cheaper than technologies. Instead of hiring guards and putting in an expensive card-based access-control program, try locking a door or putting up a wall. Training employees to be more aware of security risks is cost-effective—especially if you work with HR to put in penalties for the petty but pernicious offenses of letting unauthorized people through access-controlled doors or propping a door open with a trash can.

www.csoonline.com/article/218675

Need a social media security policy? Make the most of what you have. The communication landscape is so dynamic that if you create a policy specific to today’s technology, tomorrow it may be obsolete. (If you see a policy that contains more than one reference to MySpace, you know what we mean.) Instead, says Jack Phillips, IANS co-founder and CEO, try to draw attention to existing policies in a way that’s relevant to new trends. Many social media platforms come and go, but some will become commonplace and integral to an enterprise, at which point it may become necessary for policies to be more specific.

www.csoonline.com/article/529764
www.csoonline.com/article/505593

Make security policies only as strict as necessary. You can do this by really knowing and understanding the business. Overly restrictive policies can backfire. “When this is the case, users will come up with workarounds that could be worse than the problem you are trying to prevent in the first place,” says Ken Smith, a security solutions architect at Forsythe Technology.

www.csoonline.com/article/470095

When evaluating network solutions, assess value, not cost. The cheapest or most conventional approach might provide only modest management gains, says Brian Neely, CIO of American Systems, a consultancy and IT management firm. Use everything at your disposal to measure the full value of the product or service you are considering.

www.csoonline.com/article/507764


Practice thinking like a spy. What information do you want to keep from your competitors? If you worked for a competitor, what devious tricks might you use to find out this information? Don’t be afraid to get creative as you brainstorm, and then look for the most basic vulnerabilities that might lead your competitor to this information.

www.csoonline.com/article/218034

Transform desktop support into security marketing. Did somebody step into the workspace of one of your staffers because they needed a simple password reset or a virus update? Use it as a chance to raise security awareness. Hang up a poster educating employees about common phishing ploys, or send them off with written instructions about choosing a secure password. Every interaction can be a teachable moment.

www.csoonline.com/article/219904


Be mindful of every interaction with recruiters. A key difference between a ho-hum CSO candidate and a top-notch one is great communication skills. Responding to a question with a four- or five-word incomplete sentence may take you out of the running.

www.csoonline.com/article/220903

See if the marketing department is interested in the new video surveillance system. Not only will you be more likely to get the funding you need, but you will also do a good turn for the business.

“Marketers can do things, like people counting,” says Charles Foley, CEO of TimeSight Systems, a video surveillance vendor. “They can analyze how many people were clustered around that end-cap display and how long they were there.”

That kind of data can help marketers optimize the business, which could be a huge benefit.

www.csoonline.com/article/479097

Set up a fraud hotline. Give employees a way to anonymously report violations of company policies. Not only will the fraud department learn about problems that might otherwise have gone undetected, but a hotline is also a surprisingly simple way to deter fraud.

www.csoonline.com/article/220704

But don’t rely too heavily on tipsters. Historically, most fraud was reported via a tip, says Brad McFarland, director of corporate security with the South Financial Group, a financial services holding company. Today, however, it’s important that companies implement data analysis as well. Strong data, analyzed in tandem with knowledge of potential criminal schemes, can help organizations mitigate their risk of fraud.

www.csoonline.com/article/591654

K.I.S.S.: “Keep it simple, stupid” (or “keep it simple in security”). The more complicated your network gets, the harder it is to track where sensitive information is going, which makes it even more difficult to secure.
Keep work for work and play for play. When using social media, know your objectives. “I can’t tell you how many times I have been invited to Facebook by a work colleague only to find things on their wall or profile that are definitely not politically correct or are downright offensive,” says Benjamin Fellows, a senior IT security and risk consultant at Ernst and Young. “I keep all my work friends in LinkedIn and my personal friends in Facebook. Even then, I am very careful what I say on either site. I guess you could also put this under the heading of ‘Know Your Audience.’”


Build Security In

GET SECURITY INVOLVED IN THE EARLY STAGES OF PLANNING ANY NEW FACILITY

Tim Giles says failure to follow this simple dictum is a common mistake. While ground-level lighting and hidden cameras may be more pleasing to the eye, neither is good for security. Giles, a security consultant and author of How to Develop and Implement a Security Master Plan, who was once in charge of all IBM security operations for the United States and Canada, says he once worked in a building where the architect had designed all the cameras to be out of sight.

“But someone seeing the camera is 50 percent of the value because it’s a deterrent,” notes Giles. “When people know they are on camera, they are much less likely to do something wrong.”

www.csoonline.com/article/501467
www.csoonline.com/article/496314


Have redundant utilities for your data centers. Data centers need two sources for utilities such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should enter the building in different areas, with water separate from other utilities. Use the data center’s anticipated power usage as leverage for getting the electric company to accommodate the building’s special needs.

www.csoonline.com/article/220665

PLAN FOR SECURE AIR HANDLING IN DATA CENTERS

Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing air in from the outside. This could help protect people and equipment if there’s some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.

www.csoonline.com/article/220665

USE LANDSCAPING TO AUGMENT FACILITIES PROTECTION

Trees, boulders and gullies can hide the building from passing cars, obscure security devices (such as fences), and help keep vehicles and trespassers from getting too close. Oh, and they look nice too. Check out thorny but attractive varieties of trees and shrubs such as hawthorn, hardy orange, black locust, pyracantha, and barberry.

www.csoonline.com/article/220665

Learn to say “Yes, but...” Security practitioners get a reputation for being no-guys. Instead, try to offer a solution for whatever plan the business has come up with. If they don’t like how the plan looks once security has been factored in, perhaps they’ll come up with another plan.

www.csoonline.com/article/219569

Learn to say “Yes, and...” Consultant Michael Santarcangelo notes this is standard practice in improvisational comedy, and it’s a valuable technique for corporate teamwork. Don’t shoot down ideas; develop a habit of affirming and improving instead.

www.csoonline.com/article/657570


Remember what Web browsers are designed for. Browsers are meant to make information exchange simple, not safe. Until security becomes the most important priority for Web browsing software (probably never), problems will persist. SANS President Stephen Northcutt says this is especially true with the new Web 2.0 interfaces that use extensions to AJAX, a programming language supported by Web browsers. These extensions deliver enhanced functionality, but at the cost of increasing risk.

www.csoonline.com/article/221247
www.csoonline.com/article/342820


When brainstorming risks, don’t worry about precision. You’re looking for any event or scenario that could create a risk in whatever area your group is focusing on. Rank risks loosely by likelihood and impact and then turn the focus to solutions.

www.csoonline.com/article/610063


Going global? Remember that people in other countries and cultures have vastly different ideas about ethical business practices. Fuld and Co., an intelligence consultancy, once did a scruples survey asking 122 competitive intelligence professionals whether it was normal, aggressive, unethical or illegal to take off your badge before approaching a competitor at a trade show. In North America, 34 percent of respondents considered this behavior aggressive, and 50 percent found it unethical. In Europe, however, 56 percent of respondents said this was normal behavior.

www.csoonline.com/article/218034


Use education to prevent and detect fraud. Fraud is most likely to involve employees in accounts payable or purchasing, or any employee who submits expense reports, says Mike Osborne, senior security manager at Kimberly-Clark. It’s crucial to train all staff—giving special attention to people who work in these areas—on company policies, procedures and codes of conduct.

www.csoonline.com/article/220704

Build teams to assess risk in targeted areas. If you’re evaluating risks to internal investigations, for instance, your working group might include a representative from every department that plays a role in internal investigations, including human resources, corporate security, information security, facilities, finance and legal. If you’re evaluating risk to brand protection, though, it’s more important to include marketing and perhaps less important to include facilities.

www.csoonline.com/article/610063

Don’t cry wolf. Declare an emergency only rarely—like, you know, when there’s an actual emergency.

www.csoonline.com/article/641819

Double-check that your organization is keeping its original logs. If records are requested from your organization, the requesting entity will most likely be using completely different technology from yours. For that reason, it’s important to keep copies of your original logs in their native, unaltered state, writes David Torre, an experienced security professional and CTO of Atomic Fission. If that’s not possible, then at the very least logs should be easily exportable to a standardized format without loss of important information.

www.csoonline.com/article/626296
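One way to put this tip into practice, as an added example that is not from the cited article: fingerprint the original log bytes before anything else touches them, keep that copy untouched, and produce the standardized export as a separate file that still carries every raw line. The log lines, file names and JSON Lines layout below are constructed for illustration.

```python
"""Keep the original log untouched and provably so, while exporting a
standardized copy that loses nothing.

Added example, not from the cited article. The sample lines imitate a
syslog-style firewall/sshd log but are constructed; the file names and the
JSON Lines export format are this example's choices, not anyone's standard.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed original log, kept as bytes: the export is derived from it,
# never written back over it.
ORIGINAL_LOG = (
    b"Jul  7 09:00:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=22\n"
    b"Jul  7 09:00:04 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.55 DST=203.0.113.10 DPT=443\n"
    b"Jul  7 09:00:09 fw01 sshd[4242]: Failed password for root from 198.51.100.7 port 51022\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_original(data: bytes, directory: Path) -> Path:
    """Write the original bytes unmodified, plus a sidecar file with their hash."""
    directory.mkdir(parents=True, exist_ok=True)
    original = directory / "original.log"
    original.write_bytes(data)
    (directory / "original.log.sha256").write_text(fingerprint(data) + "\n")
    return original


def verify_original(directory: Path) -> bool:
    """True only if the retained copy still hashes to what was recorded."""
    expected = (directory / "original.log.sha256").read_text().strip()
    return fingerprint((directory / "original.log").read_bytes()) == expected


def normalize(data: bytes):
    """Yield one record per line. Every record carries the raw line, and lines
    the parser does not understand are kept and flagged rather than dropped."""
    for raw in data.decode("utf-8", errors="replace").splitlines():
        rec = {"raw": raw}
        m = LINE_RE.match(raw)
        if m:
            rec.update(m.groupdict())
            rec["fields"] = dict(re.findall(r"(\w+)=(\S+)", m.group("msg")))
        else:
            rec["parse_error"] = True
        yield rec


def export_jsonl(data: bytes, path: Path) -> int:
    """Write the standardized copy; returns the number of records written."""
    count = 0
    with path.open("w", encoding="utf-8") as fh:
        for rec in normalize(data):
            fh.write(json.dumps(rec) + "\n")
            count += 1
    return count


def round_trip():
    """Archive, export, verify, then show that a well-meaning rewrite of the
    original (here: lower-casing one token) is caught by the hash check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        archive_original(ORIGINAL_LOG, d)
        written = export_jsonl(ORIGINAL_LOG, d / "normalized.jsonl")
        intact = verify_original(d)
        (d / "original.log").write_bytes(ORIGINAL_LOG.replace(b"DROP", b"drop"))
        still_intact = verify_original(d)
    return written, intact, still_intact
```

Store the sidecar hash somewhere the log directory's owners cannot rewrite (or sign it), otherwise the check only catches accidents, not a deliberate edit of both files.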

Resist the urge to investigate everything in sight. Creating a security-minded organization is a process not unlike raising teenagers, says Corey Thomas, vice president of marketing and product management for consultancy Rapid7. You want to establish a dialog so employees will make the right choice when the time comes. “Aim for progress, not perfection,” he says.

www.csoonline.com/article/479097


When evaluating firewalls, put them to the test. This is one great thing about choosing a firewall. “Pick two or three of your favorites and bake them off in real-world situations,” says John Kindervag, senior analyst at Forrester Research. “You can test them on a live-production environment because they’re passive tools.” See how well they do at finding unused rules, optimizing configurations, and so on, then compare the reports.

www.csoonline.com/article/593X5l


Articulate your career results. Recruiters and other gatekeepers in the hiring process want to know what kinds of results you have achieved, so be prepared to explain them in a succinct way. “The best way [for job candidates] to differentiate themselves is to be able to describe a situation, the action they took and the results that were accomplished in a way that displays an overall understanding of risk,” says Joyce Brocaglia, founder and CEO of Alta Associates. “I don’t care about how many nodes and this and that. Did they display an understanding of the problems or risks before they implemented a solution? Did they tailor the solution to meet the risk appetite of the business?”


Know the three processes of information security. Not only can SANS’s Stephen Northcutt succinctly describe the keys to information security, he can also break it down into three basic processes, which is useful for explaining things to even the most business-minded project manager. Step one is protection, where we configure our systems and networks as correctly as possible. Step two is detection, where we identify that the configuration has changed or that some network traffic indicates a problem. Finally, step three is reaction, when, after quickly identifying any problems, we respond to them and return to a safe state as rapidly as possible.

Any security process fits into one of these three categories. Really, it does.

www.csoonline.com/article/342820
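The three processes applied to one small configuration set, as an added example that is not from the article or from SANS: a baseline of approved files (protection), a comparison that reports drift (detection), and a restore-and-quarantine step that returns to the safe state (reaction). The file paths and contents are constructed for illustration.

```python
"""Protection, detection and reaction over one small configuration set.

Added example, not from the cited article or from SANS. Files are modelled
as a dict of path -> text so the whole cycle runs in memory; the paths and
contents below are constructed for illustration.
"""
import hashlib

# Constructed approved configuration: the outcome of the protection step.
APPROVED = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": "%ops ALL=(ALL) ALL\n",
}

# Constructed current state: one setting flipped, one approved file gone,
# one file nobody approved.
CURRENT = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/cron.d/updater": "0 * * * * root /opt/updater/run\n",
}


def baseline(files):
    """Step one, protection: fingerprint each approved file. Only hashes are
    kept, so the baseline can be stored and compared without the contents."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def detect(base, current):
    """Step two, detection: what changed, appeared or disappeared since the
    baseline was taken."""
    now = baseline(current)
    return {
        "changed": sorted(p for p in base if p in now and now[p] != base[p]),
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
    }


def react(drift, approved, current):
    """Step three, reaction: return to the safe state. Changed or missing files
    are restored from the approved copy; unexpected files are moved to a
    quarantine for an analyst rather than deleted. Returns
    (restored_state, quarantine, actions)."""
    state = dict(current)
    quarantine = {}
    actions = []
    for p in drift["changed"] + drift["removed"]:
        state[p] = approved[p]
        actions.append(f"restore {p}")
    for p in drift["added"]:
        quarantine[p] = state.pop(p)
        actions.append(f"quarantine {p}")
    return state, quarantine, actions


def run_cycle(approved=APPROVED, current=CURRENT):
    """One full pass; the second detection shows the system is back to baseline."""
    base = baseline(approved)
    drift = detect(base, current)
    state, _quarantine, actions = react(drift, approved, current)
    return drift, actions, detect(base, state)


if __name__ == "__main__":
    drift, actions, after = run_cycle()
    print("drift:", drift)
    print("actions:", actions)
    print("after reaction:", after)
```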


Use social media policies to your advantage. When adapting to comply with new regulations, savvy security teams can create new policies and explain their importance to employees. Security should be able to do the same for social media policies. “This issue is an opportunity for infosec leaders to refocus attention on information security and risk management,” says Jack Phillips, IANS co-founder and CEO.

You might even be able to use social media to raise security awareness. People are paying attention to social media, so use that to your advantage.

www.csoonline.com/article/505593

Choose Your Speed

IT’S OK TO BE A FAST FOLLOWER...

Let other companies work out the kinks in new security technologies, then benefit from their successes and failures. It may sound dull compared to testing out the latest and greatest, but it’s a whole lot easier to justify to the board.

www.csoonline.com/article/218675

...BUT THEN AGAIN, THE FIELD NEEDS LEADERS!

Cutting edge strategies can help close the gap with attackers. And it may help you stay interested in your work and retain your most creative staffers.

www.csoonline.com/article/659914

Look for ways to do incident response remotely. Not only does avoiding travel save money, but it also reduces your company’s carbon footprint.

www.csoonline.com/article/410513


Give employees the tools to secure their desks. Make sure employees have locking desks, filing cabinets, offices and laptop docking stations. Face whiteboards away from the windows, not toward them. Install blinds. Provide paper shredders. Employees have the keys to security, literally.

www.csoonline.com/article/219055

Stress-test your network. Service provider and enterprise networks are performance-challenged, called on to support enormous high-speed traffic loads. That traffic is increasingly complex, comprising a growing array of protocols and applications supporting converged IP services—voice, video, data—and performance-sensitive online transactions. Throw in plenty of malicious-attack traffic and see how networks, network devices and network-based security products, from firewalls to intrusion-prevention systems, perform under stress.

BreakingPoint Systems, Ixia, Mu Dynamics and Spirent Communications all make tools that can be used to test networking and security gear and the applications they support to the limit.

www.csoonline.com/article/599739

At a sensitive offsite meeting, keep signage simple. No need to hang up a sign that says “Strategic Planning for Acme Corp.” Instead, why not just hang up a sign that says “Private Meeting”?

www.csoonline.com/article/220282

Think partnerships, not dictatorships. Even the Secret Service, when planning for national security events, tries to enlist people as participants in their security efforts.

“We can’t show up and say, ‘Here’s what we’re going to do,’” says Agent Scott Sheafe, who helped lead security efforts for the 2004 Democratic National Convention. “It has to be a partnership.”

www.csoonline.com/article/219569

Let employees know they’re accountable for their actions. When employees realize the company will take a hard line against fraudsters, they’ll think twice about committing a felonious act, says Mike Osborne, senior security manager at Kimberly-Clark.

“I have seen companies publish a quarterly newsletter containing articles about dishonest acts perpetrated against the company, travel security advice and safety measures,” he says. “The important item within these stories regarding fraud was the disposition of the case so the readers would know the company’s stance on these issues.”

www.csoonline.com/article/220704
Look for the sweet spot in access control. George Johnson, CSO at the National Center for Crisis and Continuity Coordination, says IT shops often assign everyone administrative access to reduce the workload that tighter controls can create. This, he says, is a recipe for a massive compromise. But the opposite practice of allowing only executives administrative access while locking everyone else out is fraught with danger as well, because you end up putting too much control into one person’s hands. Aim for the sweet spot in between these extremes.

www.csoonline.com/article/470095


Understand that sloppiness hurts your company more than thieves do. “Sure, there are people out there who want to take your information,” says Leonard Fuld, owner of Fuld and Co., an intelligence consultancy. “But more often than not, your own company is doing damage to itself by not being tight about how it controls information.” That laxity is what allows his company to gather competitive intelligence—both for companies that want to keep tabs on rivals and those that want to identify their own leaks.

www.csoonline.com/article/218034


Get involved in event planning before the location is chosen. Some sites offer more security challenges than others. If you can offer advice early in the planning process, you might save event planners a lot of expenses—and save your department a lot of headaches.

www.csoonline.com/article/219569

When giving a presentation, don’t blend into the background. When you’re watching the evening news, do you watch the newscaster, or the screen behind him or her? You look at the newscaster, of course, and the screen behind them just gives a few highlights. Be sure you’re using any visual aids as a backup and not the main attraction.

www.csoonline.com/article/219903

Double-check your internet policies while looking through a business lens. “If you work at the Department of Defense, I don’t think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn’t nearly enough,” says Dave Torre, founder and CTO of IT consultancy Atomic Fission.

“Obviously you have to use some common sense as a manager and say, ‘What does our organization look like and how important are these tools on the Internet for our users?’”

www.csoonline.com/article/602925

Random tip, because you just never know: When negotiating with a kidnapper, never confirm the hostage is alive by asking about her childhood stuffed animals. Questions along those lines are a signature of law enforcement in the kidnapping world, says Chris Voss of Black Swan Group. “When a family starts asking a question of that type, there’s a pretty good chance that they’re being coached by the cops, which makes kidnappers very nervous.”

www.csoonline.com/article/595563

This afternoon, reach out to someone outside your company. Talk with peer institutions and law enforcement. Perpetrators are operating in multiple geographies and with multiple institutions.

“If we want to prosecute fraudsters effectively, it’s important to have dialogue with others to try to get the full picture,” says Brad McFarland of the South Financial Group.

www.csoonline.com/article/591654

Think of one new way to get the fraud and security departments together. Brad McFarland, director of corporate security with the South Financial Group, says the line between the departments is increasingly blurred, especially in financial services.

www.csoonline.com/article/591654

Ask an open-ended question at your next meeting. Whether you’re negotiating with a potential business partner or a kidnapper, try to draw out the real issues by asking questions that can’t be answered in just a word or two. “An open-ended question forces the other side to take an honest look at you and answer your question,” says Chris Voss of the Black Swan Group.

www.csoonline.com/article/595563

Speak the language of whatever tribe you’re addressing. Every culture has its own lexicon and jargon. To be an effective communicator, said the late Robert Garigue, CISO of the Bank of Montreal, “you have to use examples from the tribal culture that you want to influence,” including the tribes that co-exist within any large organization. Strive to use metaphors that will help your audience understand how and why they can help improve the security of your organization.

www.csoonline.com/article/219904

In any crucial area, increase separation of duties. Separation of duties is a common policy when people are handling money. With separation of duties, fraud requires collusion of two or more parties, which greatly reduces the likelihood of crime. Information should be handled in the same way, since it can be bought and sold easily. If your system administrators claim that their duties cannot be broken up, inform them that well-run organizations do just that, according to the SANS Institute.

www.csoonline.com/article/342820
Join Us in 2012 for THE Premier Events for Security Executives

UP NEXT

CSO Perspectives on Mobile Security
Enabling and Securing the Mobile Enterprise
January 24, 2012
The Fairmont San Francisco
San Francisco, CA

REGISTER TODAY!
http://events.csoonline.com/MobileSF

When you attend the CSO Perspectives Seminar on Mobile Security, you will:

> Learn how companies are dealing with this effectively
> Discover what strategies and techniques major organizations are using to address this
> Identify what you can do right away and get answers to all your questions
> Network with peers who wrestle with similar issues and concerns

CSO Perspectives on CyberSecurity
March 2012 :: Washington, D.C.

CSO Perspectives on Mobile Security
May 2012 :: Chicago, IL

CSO Perspectives on Cloud Security
June 2012 :: New York, NY

CSO Perspectives on Mobile Security
November 2012 :: Boston, MA

Who Should Attend?
CSOs, CISOs, CROs
CIOs and CTOs
SVPs, EVPs, VPs of IT/Security/Risk/Compliance
Chief Security Architects
IT and Network Security Executives and Managers
Governance, Risk, Compliance and Privacy Executives

CSO National Conferences

The Security Confab
April 15-17, 2012
Hilton La Jolla Torrey Pines
La Jolla, CA

The Security Standard
September 10-11, 2012
Marriott Brooklyn Bridge
New York, NY

For more information and to register, please visit www.events.csoonline.com

For Sponsor Opportunities at a future CSO event, contact Per Melker at 508.935.4729 or e-mail pmelker@cxo.com.

PRODUCED BY CSO
Step Back, Look Around

STEP BACK AND EVALUATE YOUR CAREER AT LEAST ONCE A YEAR

Schedule some time to get away, and try to disconnect for at least part of the break, says Michigan CSO Dan Lohrmann. “Talk about how things are going at work with those you trust but who have a different perspective.” If you’re feeling burned out, remember that a career is more like a marathon than a sprint.

www.csoonline.com/article/641819

Use your resume as a self-evaluation tool

Philip Mahan takes Lohrmann's idea in number 80 one step further. “I’m a little unusual in that I update my resume weekly, even when I’m happy,” says Mahan. “I use my resume as a measuring stick as to how my career is going. I look at it and say, ‘Is there anything interesting I have done this week that is more interesting than what I have on my current resume?’”

www.csoonline.com/article/648742
TAKE A WALKING TOUR OF YOUR COMPANY'S SECURITY

Do you have the right security measures in place? Are there gaps in your thinking? Consider call centers, loading docks, offsite data or paper storage, point-of-sale systems, mail rooms, and more.

www.csoonline.com/article/511913


Get the most bang for your buck. When looking for solutions, rank possible controls based on cost, difficulty and effectiveness. In particular, note controls that can reduce the likelihood and impact of multiple types of events.

With luck, you might be able to pay for a new control by reducing the redundancy of existing controls.

www.csoonline.com/article/610063

If you’re hosting a long offsite meeting, book an extra room to be used as a lounge. That way, you can keep sensitive conversations about the meeting from taking place in public areas of the conference facility.

And yes, employees will use the room (and be grateful to you for providing it) if you keep it stocked with snacks and drinks.

www.csoonline.com/article/22028Z

ances to security, and I don’t mean this in an unfavorable way,” says Gavin de Becker, author of the book The Gift of Fear. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that. Effective security professionals know that demeanor and appearances are a language that can communicate confidence far more keenly than mere words.”

www.csoonline.com/article/219895


Ask a trusted colleague to help you maintain your ethics. It’s even easier to stay completely ethical with someone looking over your shoulder.

Michigan CTO Dan Lohrmann says, “Find one or more accountability partners who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists and athletes are accountable to coaches. Everyone who strives to improve needs accountability.”

www.csoonline.com/article/641819
CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You
Delivered right to your desktop

CSO Update: A look at the latest security news and analysis on CSOonline.com, delivered twice a week.

CSO Salted Hash: IT security news and analysis, over easy, delivered daily.

CSO News Watch: A recap of the week’s top news stories.

CSO Career: A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

CSO Tech Watch: Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

CSO Security Leader: Monthly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

CSO Continuity & Recovery: A twice-monthly review of published material concerning business continuity and disaster recovery.

Security Research & Metrics: A monthly roundup of useful security research, benchmarks and statistics.

Sign up now for CSO’s complimentary e-mail newsletters
www.CSOonline.com/newsletters
[INDUSTRY VIEW]

By Michael Santarcangelo

Creating Signature Work

The hood was pegged open, showing off a masterpiece of an engine, and a small crowd gathered as a sense of anticipation built.

People smiled, tapped the person next to them and pointed. Few words were spoken, as if no one wanted to miss what was about to happen.

With a huge grin, the owner leaned in the open car door, gave everyone a thumbs-up, and turned the key.

The engine roared to life, thrilling the crowd.

This engine sounded nothing like a commuter car’s; this engine meant business. It was both throaty and clean. The spectacle drew the crowd in. People nudged forward to watch the engine work and soak in the experience.

Surprisingly, nobody clapped. But many watchers wore a look of satisfaction mixed with a tinge of envy.

I’m an admitted pickup truck guy, and the highlight of my weekend was looking at, listening to and feeling the rumble of the engine of a Roush-built Nitemare 2007 Ford 150. The truck was the 11th of 100 that had been taken directly from the factory to Livonia, Mich., for a treatment known as “Roush Stage 3.”

While admiring the engine, where each part was carefully selected, designed and polished, I noticed something that impressed me even more: It was signed.

It wasn’t just a badge signifying that the truck had received the Roush treatment; it was the actual signature of the engine builder, engraved into a plate affixed to the engine.

Signing the engine is the ultimate sign of confidence in its quality.

How to Sign Your Security Work

Security professionals who take the same painstaking approach to craftsmanship and build a desire to sign their work can propel the team or an individual to success.

Here are three ways to create a quality product worthy of your signature:

1. Define the outcome
2. Design the experience
3. Build a brand within the brand

These steps are effective for both teams and individuals, whether working in the enterprise or as consultants. In the end, it’s about valuing quality and striving to produce work worthy of a public signature.

Define the Outcome

Before transforming the truck, Roush clearly considered performance, but also thought about the visual appeal of the engine and the experience of lifting the hood, and of starting the engine and driving the truck. With a clear outcome in mind, the engine builder could deliver excellence.

When it comes to managing risk and improving security, the outcome tends to be less clear at the beginning. The word “security” has multiple meanings, which can shift based on experience and context. The key is to engage in enough conversation to figure out which elements are important. Sometimes the outcome to work toward is something functional that benefits people, and security is one element to include.

Having a clearly defined and commonly understood goal makes it possible to create work worthy of signing, work that someone else is proud of and wants to show off to others.

Design the Experience

The Roush team used a blend of science and art to create an experience. The look of the engine and its compartment was impressive. The sound of the engine firing up drew attention from across the parking lot. Best of all, this truck was designed for daily driving.


To put the importance of design into context, consider this: Of the 6.9 million trucks Ford sold in 2007, only 100 were modified as Nitemares, and the one I saw was identifiable even among that 100 as number 11.

A truck that had started out as stock was now one of a kind, and yet was still used as a daily driver. In fact, it was special enough to be shown at a car show for Mustangs. One truck out of the thousands produced was on display, drawing people in, getting them to gather around and causing a fair amount of “oohs,” “ahs” and even some drool.

In security, we have the same opportunity. We can buy stock products and use them in stock ways. It will likely help us reach a goal. Or we can take those elements and tweak them a bit, designing an experience to meet the needs of the people we serve (and possibly ourselves). If we put in that extra effort, we’ll likely enjoy the experience and turn some heads.

Build a Brand Within the Brand

The name on the engine package is Roush, but the signature on the block was that of the person, the craftsman who took the time to work on that specific engine. While each engine package is the same, no two engines are precisely the same, and no two outcomes are exactly identical, either. It’s the individual that brings the vision to life.

The same holds true in security: to sign your name to your work, you ultimately have to produce individually identifiable work with a unique outcome.

However, I’m not suggesting that you build your own brand independent from that of the business, which I’ve seen some people do recently. Instead, honor the brand of the group. Your brand is signing your name to work also marked by the larger brand.

That’s the brand within the brand: quality of design, of execution, of outcome. Note to security leaders: Is your team’s work worthy of people signing their names to?

Would you actually sign your work? I’m not talking about just appending a digitized version of your signature to emails or inserting it in a page in a document. Really consider the process of signing your work.

When the engine package is finished, the engine builder engraves their name on a plate affixed to the engine. They know hundreds, maybe thousands of people will admire or examine their work and their name will be prominently on display.

This process is a thoughtful capstone to a task completed by someone who takes pride in their work. Doing something similar in information security would set you and your team apart and demonstrate your willingness for others to examine, admire and appreciate your effort.

Whether it’s a policy, training course or software implementation, is your work good enough that you’d sign your name to it?

Find Career Catalyst Michael Santarcangelo at twitter.com/catalyst.


UMUC
University of Maryland University College
800-888-UMUC • umuc.edu/cyberspace

CYBERSECURITY

ON THIS BATTLEFIELD, EDUCATION IS YOUR BEST DEFENSE.

Cyber attacks are being waged all over the world, creating an unprecedented demand for trained professionals to protect our country's data assets and develop cybersecurity policies. Help meet the demand with a bachelor's or master's degree in cybersecurity. Whether you plan to work for Cyber Command taking down cyber terrorists or for private industry battling hackers, UMUC can help you make it possible.

• Designated as a National Center of Academic Excellence in Information Assurance Education by the NSA and DHS
• BS and MS in cybersecurity and MS in cybersecurity policy available
• Programs offered entirely online
• Interest-free monthly payment plan available, plus financial aid for those who qualify

Copyright © 2011 University of Maryland University College
The 3rd Annual CSO Holiday Gift Guide

Make the holiday merriment last all year by giving your colleagues the gifts you want for yourself

Certification Tracker App (for iPhone or Android)

Finally! A way to remember applications, fees, CPE credits, expiration dates and what all those acronyms actually stand for.

Secure Enterprise Network-in-a-Box

Includes servers, nodes and a robust suite of ERP and productivity apps. Totally hacker-proof! (Note: Opening box or turning on power voids warranty.)

The Uniform Compliance Documentation Pack

Why pay for auditors? With 47,000-odd pages of pre-completed questionnaires at your fingertips, you can proclaim you’re SAS70/SSAE17/ISO2700 series (all)/Sarbox/PCI DSS Level 4-certified! Also useful for replying to e-discovery requests.

The Everything Scanner

Next-generation, my tuchus! Here’s your deep-packet-inspecting, port-knocking, physical-perimeter-intrusion-detecting, biopsy-performing all-in-one machine.
TRUST STRONG AUTHENTICATION

Transform risk into trust with RSA SecurID® strong authentication that builds trusted relationships with customers, partners, and everyone your business connects to.

RSA

EMC2, EMC, RSA®, the EMC logo, the RSA logo, and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2011 EMC Corporation. All rights reserved.


Traditional thinking about security can have a chilling effect on your business.

Desktop Virtualization. A better way to minimize risk without compromising business productivity.

You need a security approach that can evolve with your needs. Device proliferation and flexible workstyles require new thinking.

Citrix desktop virtualization is a better way for companies to fortify security without freezing business productivity. It provides the foundation for a layered security strategy that enables desktops, applications and data to be delivered securely, on demand, to any device.

And since applications and data are secured at the data center, and not at the endpoint, you get increased control and visibility without restricting worker performance and business agility.

Citrix desktop virtualization. It's the coolest thing to happen to security.

Visit www.citrix.com/secure

© 2011 Citrix Systems, Inc. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc. and/or one or more of its subsidiaries and may be registered in the United States Patent and Trademark Office and in other countries.